apiVersion: v1 kind: Namespace metadata: name: konflux-ui --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: dex name: dex namespace: konflux-ui --- apiVersion: v1 kind: ServiceAccount metadata: name: proxy namespace: konflux-ui --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: dex rules: - apiGroups: - dex.coreos.com resources: - '*' verbs: - '*' - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: konflux-proxy rules: - apiGroups: - "" resources: - users - groups verbs: - impersonate - apiGroups: - authorization.k8s.io resources: - localsubjectaccessreviews verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: konflux-proxy-namespace-lister rules: - apiGroups: - "" resources: - namespaces verbs: - list - get --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: dex roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: dex subjects: - kind: ServiceAccount name: dex namespace: konflux-ui --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: konflux-proxy roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: konflux-proxy subjects: - kind: ServiceAccount name: proxy namespace: konflux-ui --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: konflux-proxy-namespace-lister roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: konflux-proxy-namespace-lister subjects: - kind: ServiceAccount name: proxy namespace: konflux-ui --- apiVersion: v1 data: kite.caddy: "handle_path /api/k8s/plugins/kite/* {\n route {\n forward_auth 127.0.0.1:6000 {\n uri /oauth2/auth\n copy_headers X-Auth-Request-Email X-Auth-Request-Groups\n }\n\t\timpersonate\n\t\tinject_cached_vars\n reverse_proxy https://__KITE_HOSTNAME__ {\n header_up Authorization \"Bearer {http.vars.kube_token}\"\n \ import /mnt/caddy-snippets/backend-tls.conf\n }\n }\n}\n" kubearchive.caddy: "handle_path /api/k8s/plugins/kubearchive/* {\n route {\n \ forward_auth 127.0.0.1:6000 {\n uri /oauth2/auth\n copy_headers X-Auth-Request-Email X-Auth-Request-Groups\n }\n\t\timpersonate\n\t\tinject_cached_vars\n \ reverse_proxy https://__KUBEARCHIVE_HOSTNAME__:8081 {\n header_up Authorization \"Bearer {http.vars.kube_token}\"\n import /mnt/caddy-snippets/backend-tls.conf\n \ }\n }\n}\n" tekton-results.caddy: "handle_path /api/k8s/plugins/tekton-results/* {\n route {\n forward_auth 127.0.0.1:6000 {\n uri /oauth2/auth\n copy_headers X-Auth-Request-Email X-Auth-Request-Groups\n }\n\t\timpersonate\n\t\tinject_cached_vars\n \ reverse_proxy https://__TEKTON_RESULTS_HOSTNAME__:8080 {\n # TODO: switch to {http.vars.backend_token} once Tekton Results\n # accepts the \"konflux-backend\" audience in TokenReview.\n # See backend-token volume in proxy.yaml for context.\n header_up Authorization \"Bearer {http.vars.kube_token}\"\n import /mnt/caddy-snippets/backend-tls.conf\n \ }\n }\n}\n" watson.caddy: | handle_path /api/chatbot/* { route { forward_auth 127.0.0.1:6000 { uri /oauth2/auth copy_headers X-Auth-Request-Email X-Auth-Request-Groups } inject_cached_vars reverse_proxy https://__WATSON_HOST__ { header_up Authorization "Basic {http.vars.watson_auth}" header_up Host __WATSON_HOST__ import /mnt/caddy-snippets/watson-tls.conf } } } kind: ConfigMap metadata: name: proxy-caddy-templates-46ctfh6tk7 namespace: konflux-ui --- apiVersion: v1 data: Caddyfile: "{\n\tauto_https off\n\tadmin off\n\torder inject_cached_vars before reverse_proxy\n\tfile_watcher {\n\t\tcache kube_token /var/run/secrets/konflux-ci.dev/serviceaccount/token\n\t\tcache backend_token /var/run/secrets/konflux-ci.dev/backend/token\n\t\tcache watson_auth /mnt/watson-config/API_KEY {\n\t\t\tdefault \"\"\n\t\t}\n\t\twatch /var/run/secrets/kubernetes.io/serviceaccount\n\t\twatch /mnt/cluster-ca\n\t\twatch /mnt/service-ca\n\t\twatch /mnt/serving-cert\n\t}\n}\n\n# TODO: protect metrics with kube-rbac-proxy sidecar (https://github.com/openshift/kube-rbac-proxy)\n:2112 {\n\tmetrics /metrics\n}\n\n:9443 {\n\ttls {\n\t\tget_certificate file {\n\t\t\tcert /mnt/serving-cert/tls.crt\n\t\t\tkey /mnt/serving-cert/tls.key\n\t\t}\n\t}\n\n\t# Strip any client-supplied impersonation and proxy-auth headers to\n\t# prevent spoofing. This runs at the server level, before any\n\t# handle/route blocks.\n\trequest_header -Impersonate-User\n\trequest_header -Impersonate-Group\n\trequest_header -Impersonate-Uid\n\trequest_header -Impersonate-Extra-*\n\trequest_header -X-User\n\trequest_header -X-Group\n\n\t# Health endpoint for liveness/readiness probes\n\thandle /health {\n\t\trespond 200\n\t}\n\n\t# Segment bridge files\n\thandle /segment/* {\n\t\troot * /opt/app-root/src\n\t\theader Content-Type text/plain\n\t\tfile_server\n\t}\n\n\t# OAuth2 proxy - browser-facing auth UI/callback\n\thandle /oauth2/* {\n\t\treverse_proxy 127.0.0.1:6000\n\t}\n\n\t# Namespace lister (GET only on exact paths)\n\t# The namespace-lister performs in-memory RBAC authorization: it checks\n\t# RoleBindings for the user AND their groups to decide which namespaces\n\t# to return. Without group headers, a user only sees namespaces where\n\t# they are bound individually — group-based bindings are invisible.\n\t@nsListGet {\n\t\tmethod GET\n\t\tpath /api/k8s/api/v1/namespaces /api/k8s/api/v1/namespaces/\n\t}\n\thandle @nsListGet {\n\t\troute {\n\t\t\tforward_auth 127.0.0.1:6000 {\n\t\t\t\turi /oauth2/auth\n\t\t\t\tcopy_headers X-Auth-Request-Email X-Auth-Request-Groups\n\t\t\t}\n\t\t\timpersonate {\n\t\t\t\ttarget_user X-User\n\t\t\t\ttarget_group X-Group\n\t\t\t}\n\t\t\trewrite * /api/v1/namespaces\n\t\t\treverse_proxy https://namespace-lister.namespace-lister.svc.cluster.local:8080 {\n\t\t\t\theader_down -X-Correlation-ID\n\t\t\t\ttransport http {\n\t\t\t\t\tread_timeout 30m\n\t\t\t\t\twrite_timeout 30m\n\t\t\t\t\ttls_trust_pool file /mnt/cluster-ca/ca-bundle.crt\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t# Backend snippets (tekton-results, kubearchive, etc.) loaded from init-generated configs.\n\t# NOTE: Imported snippets MUST use paths more specific than /api/k8s/ to avoid\n\t# shadowing the Kube API catch-all handler below. Caddy evaluates handle blocks\n\t# by specificity (longest path match first), so e.g. /api/k8s/plugins/tekton-results/\n\t# is safe because it is more specific than /api/k8s/.\n\timport /mnt/caddy-snippets/*.caddy\n\n\t# WebSocket to Kube API\n\thandle_path /wss/k8s/* {\n\t\troute {\n\t\t\tforward_auth 127.0.0.1:6000 {\n\t\t\t\turi /oauth2/auth\n\t\t\t\tcopy_headers X-Auth-Request-Email X-Auth-Request-Groups\n\t\t\t}\n\t\t\timpersonate\n\t\t\tinject_cached_vars\n\t\t\treverse_proxy https://kubernetes.default.svc {\n\t\t\t\theader_up Authorization \"Bearer {http.vars.kube_token}\"\n\t\t\t\ttransport http {\n\t\t\t\t\tread_timeout 30m\n\t\t\t\t\twrite_timeout 30m\n\t\t\t\t\ttls_trust_pool file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t# Kube API (catch-all for /api/k8s/)\n\thandle_path /api/k8s/* {\n\t\troute {\n\t\t\tforward_auth 127.0.0.1:6000 {\n\t\t\t\turi /oauth2/auth\n\t\t\t\tcopy_headers X-Auth-Request-Email X-Auth-Request-Groups\n\t\t\t}\n\t\t\timpersonate\n\t\t\tinject_cached_vars\n\t\t\treverse_proxy https://kubernetes.default.svc {\n\t\t\t\theader_up Authorization \"Bearer {http.vars.kube_token}\"\n\t\t\t\ttransport http {\n\t\t\t\t\tread_timeout 30m\n\t\t\t\t\twrite_timeout 30m\n\t\t\t\t\ttls_trust_pool file /var/run/secrets/kubernetes.io/serviceaccount/ca.crt\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t# Dex Identity Provider\n\thandle /idp/* {\n\t\treverse_proxy https://dex.konflux-ui.svc.cluster.local:9443 {\n\t\t\theader_up X-Forwarded-Port \"9443\"\n\t\t\ttransport http {\n\t\t\t\ttls_trust_pool file /mnt/serving-cert/ca.crt\n\t\t\t}\n\t\t}\n\t}\n\n\t# Static SPA (catch-all, must be last)\n\thandle {\n\t\troot * /opt/app-root/src/static-content\n\t\ttry_files {path} /index.html\n\t\tfile_server\n\t}\n}\n" kind: ConfigMap metadata: name: proxy-caddyfile-567h9kth9f namespace: konflux-ui --- apiVersion: v1 data: generate-proxy-config.sh: | #!/bin/sh set -eu TEMPLATES_DIR=/mnt/caddy-templates SNIPPETS_DIR=/mnt/caddy-snippets SERVICE_CA_PATH=/mnt/service-ca/service-ca.crt for cmd in sed getent printf; do command -v "${cmd}" >/dev/null 2>&1 || { echo "required command not found: ${cmd}"; exit 1; } done log() { echo "$(date -Iseconds) generate-proxy-config: $*"; } # resolve_tekton_results outputs the tekton-results hostname. # Env var TEKTON_RESULTS_HOSTNAME takes precedence over DNS probing. resolve_tekton_results() { if [ -n "${TEKTON_RESULTS_HOSTNAME:-}" ]; then echo "${TEKTON_RESULTS_HOSTNAME}" return 0 fi for host in \ tekton-results-api-service.tekton-pipelines.svc.cluster.local \ tekton-results-api-service.openshift-pipelines.svc.cluster.local \ tekton-results-api-service.tekton-results.svc.cluster.local; do if getent hosts "${host}" > /dev/null 2>&1; then echo "${host}" return 0 fi done return 1 } # Process tekton-results template if [ -f "${TEMPLATES_DIR}/tekton-results.caddy" ]; then if hostname=$(resolve_tekton_results); then log "tekton-results resolved to ${hostname}" sed "s/__TEKTON_RESULTS_HOSTNAME__/${hostname}/" \ "${TEMPLATES_DIR}/tekton-results.caddy" > "${SNIPPETS_DIR}/tekton-results.caddy" else log "tekton-results not available, skipping" fi fi # Process kite template if [ "${KITE_ENABLED:-}" = "true" ] && [ -f "${TEMPLATES_DIR}/kite.caddy" ]; then hostname="${KITE_HOSTNAME:-konflux-kite.konflux-kite.svc.cluster.local}" sed "s/__KITE_HOSTNAME__/${hostname}/g" \ "${TEMPLATES_DIR}/kite.caddy" > "${SNIPPETS_DIR}/kite.caddy" log "kite endpoint enabled (${hostname})" fi # Process kubearchive template if [ "${KUBEARCHIVE_ENABLED:-}" = "true" ] && [ -f "${TEMPLATES_DIR}/kubearchive.caddy" ]; then hostname="${KUBEARCHIVE_HOSTNAME:-kubearchive-api-server.product-kubearchive.svc.cluster.local}" sed "s/__KUBEARCHIVE_HOSTNAME__/${hostname}/g" \ "${TEMPLATES_DIR}/kubearchive.caddy" > "${SNIPPETS_DIR}/kubearchive.caddy" log "kubearchive endpoint enabled (${hostname})" fi # Process watson template. # The API_KEY value is cached by file_watcher directly from the mounted Secret; # the init container only generates the Caddy route and TLS snippets. if [ "${WATSON_ENABLED:-}" = "true" ] && [ -f "${TEMPLATES_DIR}/watson.caddy" ]; then watson_host="${WATSON_HOSTNAME:-api.us-east.assistant.watson.cloud.ibm.com}" watson_default_host="api.us-east.assistant.watson.cloud.ibm.com" sed "s/__WATSON_HOST__/${watson_host}/g" \ "${TEMPLATES_DIR}/watson.caddy" > "${SNIPPETS_DIR}/watson.caddy" # Generate watson TLS transport config. # - Default external host: always use system roots with SNI (never skip verification) # - Overridden hostname + service CA: use service CA # - Overridden hostname, no service CA: skip verification (in-cluster self-signed) if [ "${watson_host}" = "${watson_default_host}" ]; then printf 'transport http {\n tls_server_name %s\n}\n' "${watson_host}" \ > "${SNIPPETS_DIR}/watson-tls.conf" log "watson TLS: system roots with SNI (external host)" elif [ -f "${SERVICE_CA_PATH}" ]; then printf 'transport http {\n tls_trust_pool file %s\n}\n' "${SERVICE_CA_PATH}" \ > "${SNIPPETS_DIR}/watson-tls.conf" log "watson TLS: service CA (in-cluster override)" else printf 'transport http {\n tls_insecure_skip_verify\n}\n' \ > "${SNIPPETS_DIR}/watson-tls.conf" log "watson TLS: insecure (in-cluster, no service CA)" fi log "watson endpoint enabled (${watson_host})" fi # Generate TLS transport config for backend services (Tekton Results, KubeArchive, etc.). # On OpenShift, the service-ca-operator injects the CA bundle into a ConfigMap # mounted at SERVICE_CA_PATH. When present, backends are verified against this CA. # Otherwise, fall back to skipping verification (the default for non-OpenShift # clusters; see docs for how to configure cert-manager to issue trusted certs). if [ -f "${SERVICE_CA_PATH}" ]; then printf 'transport http {\n tls_trust_pool file %s\n}\n' "${SERVICE_CA_PATH}" \ > "${SNIPPETS_DIR}/backend-tls.conf" log "using service CA for backend TLS verification" else printf 'transport http {\n tls_insecure_skip_verify\n}\n' \ > "${SNIPPETS_DIR}/backend-tls.conf" log "no service CA found, backend TLS verification disabled" fi log "done" kind: ConfigMap metadata: name: proxy-generate-config-thtfcb7h98 namespace: konflux-ui --- apiVersion: v1 data: run-dex.sh: "#!/bin/bash\n\nset -euo pipefail\n\nORIGINAL_TOKEN=/tmp/var/run/secrets/dex/serviceaccount/token\nTOKEN_PATH=${TOKEN_PATH:-/var/run/secrets/kubernetes.io/serviceaccount/token}\nWAIT_TIME=10\nHALT_TIMEOUT=100\nMAX_JITTER_TIME=10\n\n# auxiliary log function\nlog() { printf \"%s: %s\\n\" \"$(date -Iseconds)\" \"$*\"; }\n\n# forward SIGTERM/SIGINT for graceful shutdown\n#\n# shellcheck disable=SC2329\n# ShellCheck is currently bad at figuring out functions that are invoked via trap\nshutdown() {\n log \"received signal, shutting down\"\n if [ -n \"${dex_pid:-}\" ] && [ -d \"/proc/${dex_pid}\" ]; then\n kill -s TERM \"${dex_pid}\" 2>/dev/null || true\n wait_for_halt || true\n fi\n exit 143\n}\n\nwait_for_halt() (\n counter=0\n \ while [ -d \"/proc/${dex_pid}\" ] && [ $(( counter++ )) -le \"${HALT_TIMEOUT}\" ]; do \n sleep 1\n done\n\n if [ -d \"/proc/${dex_pid}\" ]; then\n return 1\n fi\n return 0\n)\n\nstart_with_reload() {\n while true; do\n # copy the original token for later use\n log \"copying the token to ${ORIGINAL_TOKEN}\"\n \ mkdir -p \"$(dirname \"${ORIGINAL_TOKEN}\")\"\n rm \"${ORIGINAL_TOKEN}\" || true\n cp \"${TOKEN_PATH}\" \"${ORIGINAL_TOKEN}\"\n\n # run dex in a subprocess\n OPENSHIFT_OAUTH_CLIENT_SECRET=\"$(cat \"${ORIGINAL_TOKEN}\")\" \\\n OPENSHIFT_OAUTH_CLIENT_ID=\"${OPENSHIFT_OAUTH_CLIENT_ID:-system:serviceaccount:${NAMESPACE}:${POD_SERVICE_ACCOUNT}}\" \\\n /usr/local/bin/dex serve /etc/dex/cfg/config.yaml &\n dex_pid=\"$!\"\n \ log \"run Dex in background with pid ${dex_pid}\"\n\n # wait for the token to be refresh by kubelet\n log \"waiting for the token to be refreshed\"\n \ while [ \"$(cksum < \"${ORIGINAL_TOKEN}\")\" = \"$(cksum < \"${TOKEN_PATH}\")\" ]; do sleep \"${WAIT_TIME}\"; done\n\n # reduce likelihood of having all replicas refreshing at the same time\n jitter=\"$(( $(od -An -N2 -i /dev/urandom) % MAX_JITTER_TIME ))\"\n log \"sleeping ${jitter} seconds to prevent all replicas to restart at the same time\"\n sleep \"${jitter}\"\n\n # Send SIGTERM to Dex\n log \"token refreshed, halting Dex via SIGTERM\"\n if [ -d \"/proc/${dex_pid}\" ]; then\n kill -s TERM \"${dex_pid}\" || true\n fi\n\n # Wait for Dex to halt\n log \"waiting for Dex to gracefully stop\"\n if ! wait_for_halt; then\n log \"Dex didn't stop in ${HALT_TIMEOUT} seconds, breaking\"\n exit 1\n fi\n done\n\n log \"the loop broke unexpectedly\"\n exit 1\n}\n\nmain() {\n trap shutdown TERM INT\n\n start_with_reload\n}\n\nmain\n" kind: ConfigMap metadata: name: run-dex-f654f6k7th namespace: konflux-ui --- apiVersion: v1 kind: Service metadata: name: dex namespace: konflux-ui spec: ports: - name: dex port: 9443 protocol: TCP targetPort: 9443 selector: app: dex type: ClusterIP --- apiVersion: v1 kind: Service metadata: labels: app: proxy name: proxy namespace: konflux-ui spec: internalTrafficPolicy: Cluster ipFamilies: - IPv4 ipFamilyPolicy: SingleStack ports: - name: web-tls port: 9443 protocol: TCP targetPort: web-tls - name: metrics port: 2112 protocol: TCP targetPort: metrics selector: app: proxy type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: dex name: dex namespace: konflux-ui spec: progressDeadlineSeconds: 2147483647 replicas: 1 selector: matchLabels: app: dex template: metadata: labels: app: dex spec: containers: - command: - /usr/local/bin/run-dex.sh env: - name: TOKEN_PATH value: /var/run/secrets/konflux-ci.dev/serviceaccount/token - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: POD_SERVICE_ACCOUNT valueFrom: fieldRef: fieldPath: spec.serviceAccountName - name: CLIENT_SECRET valueFrom: secretKeyRef: key: client-secret name: oauth2-proxy-client-secret image: quay.io/konflux-ci/dex@sha256:d065a38902a0103383be31ea96329846b5e44693da349b1192297e087af3db44 livenessProbe: httpGet: path: /healthz/ready port: telemetry initialDelaySeconds: 10 name: dex ports: - containerPort: 9443 name: https - containerPort: 5558 name: telemetry protocol: TCP readinessProbe: httpGet: path: /healthz/ready port: telemetry initialDelaySeconds: 10 resources: limits: cpu: 50m memory: 128Mi requests: cpu: 10m memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsNonRoot: true volumeMounts: - mountPath: /tmp name: tmp readOnly: false - mountPath: /var/run/secrets/konflux-ci.dev/serviceaccount/ name: dex-token - mountPath: /usr/local/bin/run-dex.sh name: run-dex subPath: run-dex.sh - mountPath: /etc/dex/cfg name: dex - mountPath: /etc/dex/tls name: tls serviceAccountName: dex volumes: - emptyDir: medium: Memory name: tmp - name: dex-token projected: defaultMode: 288 sources: - serviceAccountToken: expirationSeconds: 600 path: token - configMap: defaultMode: 420 items: - key: config.yaml path: config.yaml name: dex name: dex - configMap: defaultMode: 493 items: - key: run-dex.sh path: run-dex.sh name: run-dex-f654f6k7th name: run-dex - name: tls secret: secretName: dex-cert --- apiVersion: apps/v1 kind: Deployment metadata: annotations: ignore-check.kube-linter.io/no-anti-affinity: Using topologySpreadConstraints labels: app: proxy name: proxy namespace: konflux-ui spec: minReadySeconds: 30 progressDeadlineSeconds: 2147483647 replicas: 1 selector: matchLabels: app: proxy strategy: rollingUpdate: maxSurge: 25% maxUnavailable: 0 template: metadata: labels: app: proxy spec: containers: - command: - caddy - run - --config - /etc/caddy/Caddyfile - --adapter - caddyfile image: quay.io/konflux-ci/reverse-proxy@sha256:c3df1ada200564722a306861dad7b925a786c76983c5bb7c1010f4e76cfa8735 livenessProbe: failureThreshold: 3 httpGet: path: /health port: 9443 scheme: HTTPS initialDelaySeconds: 30 periodSeconds: 60 successThreshold: 1 timeoutSeconds: 1 name: reverse-proxy ports: - containerPort: 9443 name: web-tls protocol: TCP - containerPort: 2112 name: metrics protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /health port: 9443 scheme: HTTPS initialDelaySeconds: 30 periodSeconds: 30 successThreshold: 1 timeoutSeconds: 1 resources: limits: cpu: 300m memory: 256Mi requests: cpu: 30m memory: 128Mi securityContext: readOnlyRootFilesystem: true runAsNonRoot: true volumeMounts: - mountPath: /etc/caddy/Caddyfile name: proxy-caddyfile readOnly: true subPath: Caddyfile - mountPath: /mnt/serving-cert name: serving-cert readOnly: true - mountPath: /var/run/secrets/konflux-ci.dev/serviceaccount name: kube-api-token readOnly: true - mountPath: /var/run/secrets/konflux-ci.dev/backend name: backend-token readOnly: true - mountPath: /mnt/caddy-snippets name: caddy-snippets readOnly: true - mountPath: /mnt/cluster-ca name: cluster-ca readOnly: true - mountPath: /mnt/service-ca name: service-ca readOnly: true - mountPath: /opt/app-root/src/static-content name: static-content - mountPath: /opt/app-root/src/segment name: segment-bridge-config - mountPath: /mnt/watson-config name: watson-config readOnly: true - mountPath: /data name: caddy-data - mountPath: /config name: caddy-config - env: - name: OAUTH2_PROXY_CLIENT_SECRET valueFrom: secretKeyRef: key: client-secret name: oauth2-proxy-client-secret - name: OAUTH2_PROXY_COOKIE_SECRET valueFrom: secretKeyRef: key: cookie-secret name: oauth2-proxy-cookie-secret image: quay.io/konflux-ci/oauth2-proxy@sha256:a27696d42f3a30ecb6aa7f28917f20626550cc91babafe3cf07b4595e96e228e name: oauth2-proxy ports: - containerPort: 6000 name: web protocol: TCP resources: limits: cpu: 300m memory: 256Mi requests: cpu: 30m memory: 128Mi securityContext: readOnlyRootFilesystem: true runAsNonRoot: true initContainers: - command: - cp - -R - /opt/app-root/src/. - /mnt/static-content/ image: quay.io/konflux-ci/konflux-ui@sha256:3c720c968b01239a1e49b22a2d758bc45a57450c31148da172edf72c1a65b66f name: copy-static-content resources: limits: cpu: 50m memory: 128Mi requests: cpu: 10m memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsNonRoot: true volumeMounts: - mountPath: /mnt/static-content name: static-content - command: - sh - /var/run/scripts/konflux-ci.dev/generate-proxy-config.sh image: quay.io/konflux-ci/konflux-ui@sha256:3c720c968b01239a1e49b22a2d758bc45a57450c31148da172edf72c1a65b66f name: generate-proxy-config resources: limits: cpu: 50m memory: 128Mi requests: cpu: 10m memory: 64Mi securityContext: readOnlyRootFilesystem: true runAsNonRoot: true volumeMounts: - mountPath: /mnt/caddy-templates name: caddy-templates readOnly: true - mountPath: /mnt/caddy-snippets name: caddy-snippets - mountPath: /var/run/scripts/konflux-ci.dev name: generate-proxy-config-script readOnly: true - mountPath: /mnt/service-ca name: service-ca readOnly: true serviceAccountName: proxy topologySpreadConstraints: - labelSelector: matchLabels: app: proxy maxSkew: 1 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway volumes: - configMap: defaultMode: 488 items: - key: generate-proxy-config.sh path: generate-proxy-config.sh name: proxy-generate-config-thtfcb7h98 name: generate-proxy-config-script - name: kube-api-token projected: defaultMode: 420 sources: - serviceAccountToken: expirationSeconds: 600 path: token - name: backend-token projected: defaultMode: 420 sources: - serviceAccountToken: audience: konflux-backend expirationSeconds: 600 path: token - configMap: defaultMode: 420 items: - key: Caddyfile path: Caddyfile name: proxy-caddyfile-567h9kth9f name: proxy-caddyfile - configMap: defaultMode: 420 name: proxy-caddy-templates-46ctfh6tk7 name: caddy-templates - emptyDir: {} name: caddy-snippets - emptyDir: {} name: caddy-data - emptyDir: {} name: caddy-config - name: serving-cert secret: secretName: serving-cert - name: cluster-ca secret: items: - key: ca.crt path: ca-bundle.crt secretName: cluster-root-ref - configMap: name: openshift-service-ca.crt optional: true name: service-ca - emptyDir: {} name: static-content - name: segment-bridge-config secret: items: - key: key path: key - key: url path: url optional: true secretName: segment-bridge-config - name: watson-config secret: optional: true secretName: watson-config --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: cluster-root-ref namespace: konflux-ui spec: commonName: cluster-root-ref dnsNames: - cluster-root-ref.konflux-ui.svc issuerRef: group: cert-manager.io kind: ClusterIssuer name: konflux-issuer secretName: cluster-root-ref --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: dex-cert namespace: konflux-ui spec: dnsNames: - localhost - dex.konflux-ui - dex.konflux-ui.svc.cluster.local isCA: true issuerRef: kind: Issuer name: ui-ca-issuer secretName: dex-cert subject: organizations: - konflux --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: oauth2-proxy-cert namespace: konflux-ui spec: dnsNames: - localhost issuerRef: kind: Issuer name: ui-ca-issuer secretName: oauth2-proxy-cert --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: serving-cert namespace: konflux-ui spec: dnsNames: - localhost - proxy.konflux-ui.svc - proxy.konflux-ui.svc.cluster.local issuerRef: kind: Issuer name: ui-ca-issuer secretName: serving-cert --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: ui-ca namespace: konflux-ui spec: commonName: ui-ca isCA: true issuerRef: group: cert-manager.io kind: ClusterIssuer name: konflux-bootstrap-issuer privateKey: algorithm: ECDSA size: 256 secretName: ui-ca --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: ui-ca-issuer namespace: konflux-ui spec: ca: secretName: ui-ca